diff --git a/lib/gitlab/email/receiver.rb b/lib/gitlab/email/receiver.rb
index 2b57b3a20fc3515ced3b31d16d24d1dc6f51e698..714f45d2d4391c77165f7680d0df137bd5e9ffc3 100644
--- a/lib/gitlab/email/receiver.rb
+++ b/lib/gitlab/email/receiver.rb
@@ -87,6 +87,8 @@ module Gitlab
 end
 # Find the first matched user in database from email From: section
+ # TODO: Since this address could be forged, we should have some kind of
+ # auth token attached somewhere to verify the identity better.
 def message_sender
 @message_sender ||= message.from.find do |email|
 user = User.find_by_any_email(email)
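Review bot: The added TODO admits that From: can be forged, yet `message_sender` just below still treats any address in `message.from` that matches a user as that user's identity, and the comment names no owner or tracking reference for closing the gap. Because `message.from.find` walks every address in the header and takes the first database match, the identity is decided by header content alone. I would make the comment actionable and state the trust assumption, e.g. `# SECURITY TODO(<tracking-issue>): From: is unauthenticated; do not rely on this lookup for authorization until a per-user token is verified.` It is also worth confirming that a message with no From: header is handled, since `message.from` may be nil in that case (an assumption, as the message object's type is not visible here). The body of `message_sender` continues past the end of the hunk, so any checks further down cannot be seen from this diff.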